Static NAT on Cisco IOS

Let’s take a look at how to configure static NAT on a Cisco router. Here’s the topology I will use:

Above you see 3 routers called Host, NAT and Web1. Imagine our host is on our LAN and the webserver is somewhere on the Internet. Our NAT router in the middle is our connection to the Internet.

There’s a cool trick on our routers that we can use. It’s possible to disable “routing” on a router, which turns it into a normal host that requires a default gateway. This is very convenient because it saves you the hassle of connecting real computers/laptops to GNS3.

Host(config)#no ip routing

Web1(config)#no ip routing

Use no ip routing to disable the routing capabilities. The routing table is now gone; let me show you:

Host#show ip route
Default gateway is not set
Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty

Web1#show ip route
Default gateway is not set
Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty

As you can see the routing table is gone. We’ll have to configure a default gateway on router Host and Web1 or they won’t be able to reach each other:

Host(config)#ip default-gateway 192.168.12.2

Web1(config)#ip default-gateway 192.168.23.2

Both routers can use router NAT as their default gateway. Let’s see if they can reach each other:

And it will reply with an IP packet that has source address 192.168.23.3 and destination address 192.168.12.1.

Now let’s configure NAT so you can see the difference:

NAT(config)#interface fastEthernet 1/0
NAT(config-if)#ip nat inside

NAT(config)#interface fastEthernet 0/0
NAT(config-if)#ip nat outside

First we’ll have to configure the inside and outside interfaces. Our host is the “LAN” side so it’s the inside. Our webserver is “on the Internet” so it’s the outside of our network. Now we can configure our static NAT rule:
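
A static rule for this topology, as an added example that is not from the original page. The inside global address 192.168.23.10 is an assumption (an unused address on the outside subnet); the interfaces and the host address 192.168.12.1 are the ones used above.

```cisco
! Added example for the Host / NAT / Web1 lab; paste on router NAT.
! 192.168.23.10 is an assumed, unused address on the outside subnet.
configure terminal
!
interface fastEthernet 1/0
 ip nat inside
!
interface fastEthernet 0/0
 ip nat outside
!
! One-to-one mapping:
!   inside local  192.168.12.1  (Host, real address)
!   inside global 192.168.23.10 (what Web1 sees, assumed)
ip nat inside source static 192.168.12.1 192.168.23.10
end
!
! The static entry is in the table immediately, before any traffic flows.
show ip nat translations
!
! Outbound: packets from Host leave fa0/0 with source 192.168.23.10, so
! Web1 replies to 192.168.23.10 instead of 192.168.12.1.
! Inbound: the mapping works in both directions. A packet that Web1 sends
! to 192.168.23.10 is delivered to 192.168.12.1 even if Host never
! started the conversation, so static NAT does not hide or protect Host.
! Filter on the outside interface if only some services should be reachable.
```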

Let’s say one of the internal hosts 10.0.0.1 is being natted to 172.16.0.10 on ASA0. When the edge switch sends out an ARP request to get the MAC address of the 172.168.0.10 IP address, how would ASA0 know it has to respond to the ARP request even though the IP is not attached to any interface? Why would ASA1 not respond to the same ARP request?

The ARP request would come from the 3560 router saying “I need the MAC address of the dev